


"What's this?"


The man page for tcpdump starts like this:

NAME
       tcpdump - dump traffic on a network

SYNOPSIS
       tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
               [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
               [ --number ] [ -Q in|out|inout ]
               [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,... ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --immediate-mode ] [ --version ]
               [ expression ]






"That is SO MANY options, omg."

"It's okay! You only need to know, like, 3!"

"I'm going to tell you why I use tcpdump and how to get started!"

@b0rk
http://jvns.ca (my blog!)


What is tcpdump for?

tcpdump captures network traffic and prints it out for you.

For example! Yesterday DNS lookups on my laptop were slow.
"Ooh, what's happening? I know, I'll use tcpdump!"

$ sudo tcpdump -n -i any port 53
10:52:03.992138 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)
10:52:08.972719 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)
10:52:13.919782 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)
10:52:13.928894 IP 192.168.1.1.53 > 192.168.1.241.63019: 44000 2/0/0 CNAME metafilter.com., A 54.186.13.33 (80)

The first three lines are DNS queries (laptop -> router); the last line is the DNS response (router -> laptop).

This means that there were 3 DNS queries (at 10:52:03, 10:52:08, 10:52:13), but only the 3rd one got a response. (All three reuse query ID 44000 and source port 63019, so they're retries of the same lookup, 5 seconds apart.)

I figured my router was probably the problem. I restarted it, and my internet was fast again!
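Pairing queries with the reply by eye works for four lines; for a longer capture a script can do it. The following is an added example (not from the zine): it parses the `tcpdump -n` DNS line format shown above, matches each response to the most recent outstanding query with the same client address, server address and query ID, and reports which queries went unanswered and how long the answered ones took. The sample input is the four lines from the capture above, embedded as constructed text.

```python
import re
from datetime import datetime

# Constructed sample input: the four lines of `sudo tcpdump -n -i any port 53` output from the story above.
SAMPLE = """\
10:52:03.992138 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)
10:52:08.972719 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)
10:52:13.919782 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)
10:52:13.928894 IP 192.168.1.1.53 > 192.168.1.241.63019: 44000 2/0/0 CNAME metafilter.com., A 54.186.13.33 (80)
"""

# One tcpdump DNS line (with -n): timestamp, "IP"/"IP6", src.port > dst.port: id[flag chars] rest
# The characters right after the query ID are tcpdump's DNS header flags, e.g. "+" = recursion desired.
DNS_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<hflags>[+*$|%-]*) (?P<rest>.*)$"
)


def split_addr(addr):
    """'192.168.1.241.63019' -> ('192.168.1.241', 63019). The port is always the last dotted field."""
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)


def parse_dns_line(line):
    m = DNS_LINE.match(line)
    if m is None:
        return None
    src, dst = split_addr(m["src"]), split_addr(m["dst"])
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": src,
        "dst": dst,
        "id": int(m["id"]),
        "rest": m["rest"],
        # A packet heading to port 53 is a query; one coming back from port 53 is a response.
        "is_query": dst[1] == 53,
    }


def match_dns(text):
    """Pair responses with queries. Returns one record per query, in capture order."""
    pending = {}  # (client, server, query id) -> queries still waiting for an answer
    records = []
    for line in text.splitlines():
        p = parse_dns_line(line)
        if p is None:
            continue
        if p["is_query"]:
            rec = {"sent": p["ts"], "query": p["rest"], "answered": False, "latency": None, "answer": None}
            pending.setdefault((p["src"], p["dst"], p["id"]), []).append(rec)
            records.append(rec)
            continue
        waiting = pending.get((p["dst"], p["src"], p["id"]), [])
        if waiting:
            # Retries reuse the same ID and source port, so the reply could belong to any of them;
            # credit the most recent one, which is the usual case when the earlier ones timed out.
            rec = waiting.pop()
            rec["answered"] = True
            rec["latency"] = (p["ts"] - rec["sent"]).total_seconds()
            rec["answer"] = p["rest"]
    return records


def unanswered(records):
    return [r for r in records if not r["answered"]]


if __name__ == "__main__":
    recs = match_dns(SAMPLE)
    for r in recs:
        status = f"answered in {r['latency'] * 1000:.1f} ms" if r["answered"] else "NO RESPONSE"
        print(f"{r['sent'].strftime('%H:%M:%S.%f')} {r['query']:<30} {status}")
    print(f"{len(unanswered(recs))} of {len(recs)} queries unanswered")
```

Feed it a real capture with `sudo tcpdump -n -i any -l port 53 | python3 script.py` after swapping `SAMPLE` for `sys.stdin.read()`; the `-n` matters, because without it tcpdump prints hostnames and the `split_addr` logic above would see `router.lan.domain` instead of an IP and port.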


Let's learn how to debug problems with tcpdump!


Questions you can answer with tcpdump

- What DNS queries is my laptop sending?
  tcpdump -i any port 53
- I have a server running on port 1337. Are any packets arriving at that port at ALL???
  tcpdump -i any port 1337
- What packets are coming into my server from IP 1.2.3.4?
  tcpdump port 1337 and host 1.2.3.4
- Show me all DNS queries that fail
  tcpdump 'udp[11] & 0xf == 3'
  (complicated, but it works! The quotes keep the shell from interpreting the & and the brackets.)
- How long are the TCP connections on this box lasting right now?
  tcpdump -w packets.pcap
  and analyze packets.pcap in Wireshark


What tcpdump output means

Every line of tcpdump output represents a packet. The parts I usually pay attention to are:

* source & dest IP address and port
* timestamp
* which TCP flags (good for spotting the beginning of a TCP connection: [S] is a SYN)
* the DNS query, for DNS packets
* that's it!

UDP packet:

10:52:03.992138 IP 192.168.1.241.63019 > 192.168.1.1.53: 44000+ A? ask.metafilter.com. (36)

Reading left to right: timestamp, source IP (192.168.1.241), source port (63019), dest IP (192.168.1.1, my router), dest port (53), DNS query ID (44000), and the DNS query itself (A? ask.metafilter.com.).

TCP packet:

11:36:26.353797 IP 192.168.1.241.45296 > 192.241.182.146.443: Flags [.],
ack 2291349910, win 319, options [nop,nop,TS val 10967552 ecr 580196754],
length 0

"Flags [.]" are the TCP flags: "." means ACK (S is SYN, F is FIN, R is RST, P is PSH).

Ever seen a "Connection refused" error? Here's what that looks like in tcpdump!

12:16:38.944390 IP6 localhost.48680 > localhost.8999: Flags [S]
12:16:38.944458 IP6 localhost.8999 > localhost.48680: Flags [R.]

[S] is SYN and [R.] is RST+ACK. We sent a SYN to open the connection but the server replied with a RST packet. That gets translated to "connection refused".
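The refused connection above is a two-line pattern that is easy to spot by eye; on a busy box many connections interleave. The following is an added example (not from the zine): it decodes the letters inside Flags [..], follows each connection from its SYN, and reports whether it was refused, reset, established or closed and how long it lasted, which answers the "how long are connections lasting" question from earlier without leaving the terminal. The refused pair is the one from the page; the port 443 connection is constructed to look like -n output for a full handshake and close (sequence numbers and windows are made up).

```python
import re
from datetime import datetime

# Constructed sample: a made-up but format-correct SYN / SYN-ACK / ACK ... FIN / FIN / ACK exchange
# on port 443, followed by the "connection refused" pair from the page.
SAMPLE = """\
11:36:25.100000 IP 192.168.1.241.45296 > 192.241.182.146.443: Flags [S], seq 1000, win 29200, length 0
11:36:25.150000 IP 192.241.182.146.443 > 192.168.1.241.45296: Flags [S.], seq 2291349909, ack 1001, win 28960, length 0
11:36:25.150100 IP 192.168.1.241.45296 > 192.241.182.146.443: Flags [.], ack 2291349910, win 229, length 0
11:36:26.353797 IP 192.168.1.241.45296 > 192.241.182.146.443: Flags [.], ack 2291349910, win 319, options [nop,nop,TS val 10967552 ecr 580196754], length 0
11:36:27.000000 IP 192.168.1.241.45296 > 192.241.182.146.443: Flags [F.], seq 1001, ack 2291349910, win 229, length 0
11:36:27.050000 IP 192.241.182.146.443 > 192.168.1.241.45296: Flags [F.], seq 2291349910, ack 1002, win 229, length 0
11:36:27.050100 IP 192.168.1.241.45296 > 192.241.182.146.443: Flags [.], ack 2291349911, win 229, length 0
12:16:38.944390 IP6 localhost.48680 > localhost.8999: Flags [S], seq 1, win 43690, length 0
12:16:38.944458 IP6 localhost.8999 > localhost.48680: Flags [R.], seq 0, ack 2, win 0, length 0
"""

TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)

# tcpdump's one-letter TCP flag codes; "." is ACK
FLAG_NAMES = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", "U": "URG", ".": "ACK", "E": "ECE", "W": "CWR"}


def decode_flags(letters):
    """'R.' -> {'RST', 'ACK'}"""
    return {FLAG_NAMES[c] for c in letters if c in FLAG_NAMES}


def track_connections(text):
    """Follow every connection whose SYN is in the capture. Returns {endpoint pair: state dict}."""
    conns = {}
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        src, dst = m["src"], m["dst"]
        flags = decode_flags(m["flags"])
        key = tuple(sorted((src, dst)))  # same key whichever direction the packet goes
        c = conns.get(key)
        if c is None:
            if "SYN" not in flags or "ACK" in flags:
                continue  # mid-stream packet of a connection that opened before the capture started
            c = conns[key] = {"client": src, "server": dst, "opened": ts, "closed": None, "state": "syn-sent"}
        c["last"] = ts
        if "RST" in flags:
            # RST in reply to our SYN is what "connection refused" looks like on the wire
            c["state"] = "refused" if c["state"] == "syn-sent" else "reset"
            c["closed"] = ts
        elif "SYN" in flags and "ACK" in flags and src == c["server"]:
            c["state"] = "established"
        elif "FIN" in flags:
            c["state"] = "closed"
            c["closed"] = ts  # when both sides send FIN, the second one ends up here
    return conns


def durations(conns):
    """{endpoint pair: (state, seconds from SYN to close, or to the last packet seen if still open)}"""
    out = {}
    for key, c in conns.items():
        end = c["closed"] or c["last"]
        out[key] = (c["state"], (end - c["opened"]).total_seconds())
    return out


if __name__ == "__main__":
    for (a, b), (state, secs) in durations(track_connections(SAMPLE)).items():
        print(f"{a} <-> {b}: {state}, {secs:.6f}s")
```

Connections that were already open when the capture started have no SYN and are skipped on purpose; if you need those too, run the capture longer or take the pcap into Wireshark, which reassembles streams regardless of where they begin.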


BPF filters

tcpdump uses a small language called BPF to let you filter packets. When you run $ sudo tcpdump port 53, "port 53" is a BPF filter. Here's a quick guide!

src port 80
dst port 80
tcp port 80

port 53
  Checks if the source port OR the dest port is 53. Matches TCP port 53 and UDP port 53.

host 192.168.2.2
src host 192.168.2.2
dst host 1.2.3.4
  "host 192.168.2.2" checks if the source OR dest IP is 192.168.2.2; src host and dst host check just one side.

udp[11] & 0xf == 3
  You can do bit math like this on packet contents. This checks for the DNS response code "NXDOMAIN". (I googled to find this and it works!)
  udp[11] is the byte at offset 11 from the start of the UDP header. The UDP header is 8 bytes, so that's byte 3 of the DNS header, and its low 4 bits are the response code (3 = NXDOMAIN). Any UDP packet with that bit pattern matches, not just DNS, so combine it with port 53, and quote the whole thing so the shell leaves the & and the brackets alone:
  tcpdump 'port 53 and udp[11] & 0xf == 3'

You can combine filters with 'and', 'or' and 'not'.
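To see why udp[11] & 0xf == 3 means NXDOMAIN, it helps to lay the bytes out. The following is an added example, not from the zine: it builds a UDP header plus a minimal DNS header with Python's struct module, evaluates the filter the way BPF does (udp[n] is the byte at offset n from the start of the UDP header), and shows the caveat that the bare bit test also matches a non-DNS datagram with the same byte, so it belongs together with port 53. All packets are constructed; the ports and transaction IDs are made up.

```python
import struct

# DNS RCODE values, carried in the low 4 bits of DNS header byte 3
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


def udp_datagram(src_port, dst_port, payload):
    """UDP header (8 bytes: src port, dst port, length, checksum) followed by the payload.
    Checksum 0 means 'not computed', which is legal for UDP over IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def dns_header(txid, response, rcode, qdcount=1, ancount=0):
    """12-byte DNS header. Flags word bits: QR(1) Opcode(4) AA TC RD RA Z(3) RCODE(4).
    RD is set as a typical resolver would; AA/TC/RA are left clear."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def udp(datagram, offset):
    """Mirror of BPF's udp[offset]: the byte at that offset from the start of the UDP header."""
    return datagram[offset]


def port(datagram, p):
    """Mirror of BPF's 'port p': true if either the source or the destination port is p."""
    return p in struct.unpack("!HH", datagram[:4])


def nxdomain_bits(datagram):
    """tcpdump 'udp[11] & 0xf == 3'"""
    return (udp(datagram, 11) & 0xF) == NXDOMAIN


def dns_nxdomain(datagram):
    """tcpdump 'port 53 and udp[11] & 0xf == 3'"""
    return port(datagram, 53) and nxdomain_bits(datagram)


# Constructed packets (question section omitted; the filter only looks at the header)
QUERY = udp_datagram(63019, 53, dns_header(44000, response=False, rcode=NOERROR))
OK_RESPONSE = udp_datagram(53, 63019, dns_header(44000, response=True, rcode=NOERROR, ancount=2))
NX_RESPONSE = udp_datagram(53, 63019, dns_header(44001, response=True, rcode=NXDOMAIN))
SERVFAIL_RESPONSE = udp_datagram(53, 63019, dns_header(44002, response=True, rcode=SERVFAIL))
# Not DNS at all: some other UDP service whose payload happens to have 0x03 as its 4th byte
NOT_DNS = udp_datagram(5000, 5001, b"\x00\x00\x00\x03payload")

if __name__ == "__main__":
    for name, pkt in [("query", QUERY), ("ok response", OK_RESPONSE), ("nxdomain response", NX_RESPONSE),
                      ("servfail response", SERVFAIL_RESPONSE), ("not dns", NOT_DNS)]:
        print(f"{name:<18} udp[11]=0x{udp(pkt, 11):02x}  bits match: {str(nxdomain_bits(pkt)):<5}"
              f"  with port 53: {dns_nxdomain(pkt)}")
```

Changing the 3 to 2 gives you a SERVFAIL filter the same way, and udp[10] & 0x80 != 0 picks out responses (the QR bit) when you want every answer rather than only the failures.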
J 


Wireshark

"I want to know more about what's in my packets!"
"You want Wireshark!"

Wireshark is an incredibly powerful packet analysis tool!

"What protocols do you understand, Wireshark?"
"HTTP! TCP! DNS! ARP! MSN! AIM! AOL! Ethernet! Bluetooth! ... A lot, okay?"

Things Wireshark has:
* a nice graphical interface
* it can connect TCP packets from the same connection
* search through your packets easily

If you want to analyze packets from tcpdump with Wireshark, you can either:

1. save a .pcap file and open it with Wireshark
2. use this incantation to pipe tcpdump output into Wireshark!

ssh some.remote.host tcpdump -pni any -w - -s0 -U port 8888 | wireshark -k -i -

(-w - writes the capture to stdout, -U flushes each packet as soon as it's captured instead of when a buffer fills, and -s0 keeps whole packets. Filter on the port you care about rather than everything: the ssh session carrying the capture is itself network traffic, and without a filter it would show up in its own capture.)


My favourite command line arguments

I use these 3 arguments the most:

-i is for interface
  Which network interface to capture packets on. I often use -i any. The default interface tcpdump picks isn't always what you want.
  Example: sudo tcpdump -i lo
  shows you packets on the local "loopback" interface.

-w is for write
  Instead of printing out packets, write them to a file! This is VERY USEFUL for analyzing the packets later. I use it all the time.
  Example: sudo tcpdump -w my-packets.pcap host 8.8.8.8
  saves packets to/from 8.8.8.8 to a file. (Options go before the filter expression.)

-c is for count
  When writing to a file, be careful! You don't want to accidentally fill up your hard drive. -c 10000 will only capture 10,000 packets.
  Example: sudo tcpdump -c 1000 -w my-packets.pcap dst port 8080
  (For a capture that has to keep running, -C file_size and -W filecount from the synopsis rotate through a fixed number of files instead of stopping.)

And here are a few more good ones:

-A
  This prints out the packet's contents! For example, suppose I have a webserver on port 7777.
  $ sudo tcpdump -A dst port 7777
  will show me all the HTTP requests being sent to that server. Only works for HTTP, not HTTPS.
  (I like ngrep more than tcpdump -A for looking at HTTP request bodies, though!)

-n
  By default, tcpdump will translate IP addresses to hostnames. -n forces it to just always print out the IP address.

-e is for ethernet
  Includes Ethernet information! This shows you the MAC address that the packet came from.
  Example: sudo tcpdump -e -i any port 443

-p
  makes sure you only get packets that are to or from your computer (it tells tcpdump not to put the interface into promiscuous mode).

Network administration tools

Finally, there are a lot more tools than tcpdump! We won't explain them here, but here's a list!

- ping: are these computers even connected?
- dig: does that domain exist? look up a domain
- ifconfig: what's my IP address?
- ip: configures interfaces, routes, and more
- arp: your ARP table!
- traceroute / mtr: which routers are between me and that server?
- nmap: network scanning; what servers are on your network? is that port on another server open?
- netcat: connect to that server manually
- socat: like netcat, but more featureful
- nftables / iptables: set up firewalls and NAT
- sysctl: configure socket buffer sizes, and more!
- ethtool: understand your ethernet connections
- netstat / ss: what ports are being used?
- NetworkManager: GUI tool to configure the network on your laptop
- nethogs / ab / nload / iftop / netperf / iperf: lots of performance / benchmarking tools (they all do different things)

There are also tools that work like ping but over TCP, and tools for setting up a VPN.












"Now that I understand the basics, the man page isn't so bad!"

Thanks so much for reading!

Like this? There are more zines at:
http://jvns.ca/zines